nas_permmissions_in_omv [2021/02/22 20:38] – [A Workstation Logon] crashtest | nas_permmissions_in_omv [2021/04/27 21:37] – [NAS Permissions In OMV] crashtest | ||
Line 1: | Line 1: | ||
- | {{ : | ||
- | |||
- | |||
< | < | ||
Line 8: | Line 5: | ||
- | ====== NAS Permissions In OMV - A Primer | + | ====== NAS Permissions In OMV ====== |
\\ | \\ | ||
\\ | \\ | ||
- | If preferred, this document | + | This document |
+ | \\ | ||
+ | [[https://translate.google.com/|Google Translate]] kann Wiki-Dokumente in Ihre Sprache übersetzen. Fügen Sie die Wiki-URL in das linke Fenster ein und öffnen Sie den übersetzten Link rechts.\\ | ||
+ | [[https://translate.google.com/|Google Translate]] puede traducir documentos wiki a su idioma. Pegue la URL de la wiki en la ventana izquierda y abra el enlace traducido a la derecha.\\ | ||
+ | [[https://translate.google.com/|Google Translate]] peut traduire des documents wiki dans votre langue. Collez l'url du wiki dans la fenêtre de gauche et ouvrez le lien traduit sur la droite.\\ | ||
+ | [[https:// | ||
\\ | \\ | ||
---- | ---- | ||
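Review bot: the fourth Google Translate line at the end of this hunk stops after `[[https://`, so it carries neither a link target nor a sentence; either complete it for the intended language or drop it. The German, Spanish and French lines above it each repeat the same instruction, so one language-neutral sentence with the single link would keep the page header shorter without losing anything.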
Line 92: | Line 94: | ||
===== Shared Folder Permissions ===== | ===== Shared Folder Permissions ===== | ||
\\ | \\ | ||
- | By default, the majority of files and folders on the OMV file server are owned and accessed solely by the root user account. | + | By default, the majority of files and folders on the OMV file server are owned and accessed solely by the **root** user account. |
\\ | \\ | ||
The default permissions assigned to a new Shared Folder, in OMV's GUI, are:\\ | The default permissions assigned to a new Shared Folder, in OMV's GUI, are:\\ | ||
Line 101: | Line 103: | ||
These permissions directly correlate to the following: | These permissions directly correlate to the following: | ||
\\ | \\ | ||
- | {{ : | + | {{ : |
+ | \\ | ||
+ | As previously noted and illustrated, | ||
+ | \\ | ||
+ | **In the interests of clarity**: | ||
+ | * What is shown as **Extra options** (above) are **standard Linux permissions**. | ||
+ | * For home server use and to keep server permissions simple, **use standard Linux permissions**. | ||
+ | * What is labeled as **User/ | ||
+ | * “**Others**” means any user that is not **root** or any user that is NOT in the Group users. | ||
+ | \\ | ||
+ | ---- | ||
+ | \\ | ||
+ | ===== Samba (SMB) Network Shares ===== | ||
+ | |||
+ | While a **Shared Folder** is a “base” for sharing files, it is only one part of sharing data. A Shared Folder allows for local access, at the server, but it doesn' | ||
+ | (There are other network sharing techniques, such as **NFS** shares, that are not covered in this document.)\\ | ||
+ | \\ | ||
+ | {{ : | ||
+ | \\ | ||
+ | As noted in the illustration, | ||
+ | \\ | ||
+ | ---- | ||
+ | \\ | ||
+ | **In the following; Samba**, under **Services**, | ||
+ | \\ | ||
+ | Under **Services**, | ||
+ | |||
+ | * **Shared Folder:** | ||
+ | In this case, we're layering a Samba network share on top of the “Test” Shared Folder, previously created. | ||
+ | * **Public:** | ||
+ | In this case, the entry selected is No.\\ | ||
+ | \\ | ||
+ | {{ : | ||
+ | \\ | ||
+ | * In the **Test** Shared Folder, we allowed** Others** “**Read**” access. | ||
+ | * If the SMB **Public** field is set to “**Guests Allowed**”, | ||
+ | * Beyond **Public access** choices, Samba assumes that appropriate user permissions have been assigned to the bottom layer, at the Shared Folder level. | ||
+ | * If **Read only** is **ON** (green), **users** with **write** access to the Shared Folder, will not be able to add (write), modify or delete files. | ||
+ | \\ | ||
+ | ---- | ||
+ | \\ | ||
+ | Scroll to the bottom of the **Add share** dialog box, using the slider bar, on the right, or the down cursor key.\\ | ||
+ | \\ | ||
+ | The **Hosts allow**' | ||
+ | |||
+ | Understanding permissions effects, specifically the combination of various settings, is important. | ||
+ | |||
+ | * If a “host is allowed” but the username doesn' | ||
+ | * If a host is denied but the username has access, the result is still **denied**. | ||
+ | * Consumer router behavior is not always consistent. | ||
+ | * Many consumer routers do not consistently map host names to IP address which may make “allow” or “deny” by host name inconsistent.\\ | ||
+ | \\ | ||
+ | For these reasons and more, host entries should NOT be used without closely considering their effects.\\ | ||
+ | \\ | ||
+ | {{ : | ||
+ | \\ | ||
+ | **Extra options: | ||
+ | \\ | ||
+ | However a “**write list**” will allow an administrator to selectively bypass the Samba **Read only** switch. | ||
+ | \\ | ||
+ | The same could be done for the Group **users** | ||
+ | Adding this statement would allow the entire Group **users**, **write** access while restricting **Others** with the **Read only switch**.\\ | ||
+ | \\ | ||
+ | ---- | ||
+ | ===== ACL's - Extended Permissions ===== | ||
+ | \\ | ||
+ | ==== General ==== | ||
+ | \\ | ||
+ | **Extended Permissions** are not native to Linux. | ||
+ | \\ | ||
+ | Again, note the following: | ||
+ | \\ | ||
+ | {{ : | ||
+ | \\ | ||
+ | Where possible, use **Standard Permissions** (labeled as **Extra Options**).\\ | ||
+ | \\ | ||
+ | ---- | ||
+ | \\ | ||
+ | In the context of a NAS, used as a home server, ACL's should be avoided. | ||
+ | \\ | ||
+ | For instance, in the example group **users** we have two adults **Fred** and **Mary**, and their two children **Johnny** and **Betty**. | ||
+ | \\ | ||
+ | Following is a potential use of ACL's that would allow parents access to a share while denying their children access:\\ | ||
+ | \\ | ||
+ | {{ : | ||
+ | \\ | ||
+ | Note the check marks under **No access** for **Johnny** and **Betty**. | ||
+ | \\ | ||
+ | **Johnny** and **Betty** will have no access to the **Test** share, while the remaining users in the Group **users** will have **Write**. | ||
+ | \\ | ||
+ | ---- | ||
+ | \\ | ||
+ | ===== Permissions Overview ===== | ||
+ | \\ | ||
+ | The following, moving left to right shows the hierarchy of Standard Linux permissions and the network permissions that are layered onto it, with Samba. | ||
+ | \\ | ||
+ | {{ : | ||
+ | \\ | ||
+ | ---- | ||
+ | \\ | ||
+ | ==== Practical Permissions Examples ==== | ||
+ | \\ | ||
+ | (In the following examples root, as the owner, is assumed.)\\ | ||
+ | \\ | ||
+ | In the examples, the list of users are as follows:\\ | ||
+ | Fred – IworkOT\\ | ||
+ | Mary – 2kids2feed\\ | ||
+ | Johnny – Ihatechores\\ | ||
+ | Betty – Iwashdishes\\ | ||
+ | \\ | ||
+ | All users are in the default Group **users**. | ||
+ | \\ | ||
+ | ---- | ||
+ | \\ | ||
+ | === A Media Share === | ||
+ | \\ | ||
+ | {{ : | ||
+ | \\ | ||
+ | * In the Shared Folder, the group **users** have **write**. | ||
+ | * Samba Public access is set to **Guests allowed** which works with the Shared Folder permission **Others: Read** | ||
+ | * **Read Only is ON**. This will further restrict the Group users down from **Write** to **Read only** access. | ||
+ | * The Samba **'' | ||
+ | \\ | ||
+ | === A Group Share === | ||
+ | \\ | ||
+ | (A location for sharing files among all family members or members of a group.)\\ | ||
+ | \\ | ||
+ | {{ : | ||
+ | \\ | ||
+ | * The Group **users** have **write**. | ||
+ | * While **Others** have **read**, at the Shared Folder, SMB **Public** is set to “**NO**” which stops all users who are not in the Group **users**. | ||
+ | * **Read only** is **OFF** so Shared Folder permissions allow all members of the Group users to write to the share.\\ | ||
+ | \\ | ||
+ | === A Restricted Share === | ||
+ | \\ | ||
+ | This share is for private information, | ||
+ | \\ | ||
+ | A significant point to be made about this example is that one or more users can be set to **Read only** or **No Access** without disturbing the access of the remaining members of the Group **users**. | ||
+ | \\ | ||
+ | {{ : | ||
+ | \\ | ||
+ | Shared Folder settings are as shown below:\\ | ||
+ | \\ | ||
+ | {{ : | ||
+ | \\ | ||
+ | After selecting group usernames for **No access** (or **Read-only**) it's important to turn **Recursive ON** (green), before clicking the **Apply** button. | ||
+ | \\ | ||
+ | **Note: | ||
+ | The above could also be achieved by creating a new group created under; **Access Rights Management**, | ||
+ | \\ | ||
+ | === A Personal / Private Share === | ||
+ | \\ | ||
+ | A private share for an individual user could be created using ACL's and setting all users, but one, to **No access**. | ||
+ | \\ | ||
+ | Note the names of the newly created groups, below, and the usernames in each group. | ||
+ | \\ | ||
+ | {{ : | ||
+ | \\ | ||
+ | In this case, the Group **Fred** (with a single user **Fred**) has **Write**. | ||
+ | \\ | ||
+ | {{ : | ||
+ | \\ | ||
+ | ---- | ||
+ | ===== The Bottom Line ===== | ||
+ | \\ | ||
+ | If all data is stored in a single share, assigning the appropriate permissions might range from difficult to impossible. | ||
+ | \\ | ||
+ | ===== Permissions Notes: ===== | ||
+ | \\ | ||
+ | * Additions of new users or changes to existing user accounts, such as password changes, would need to be replicated at the server. | ||
+ | * Some use cases may benefit from using the [[https:// | ||
+ | * Win10 workstations may need a few network configuration changes to access a server in a peer-to-peer network. | ||
+ | \\ | ||
+ | ---- | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
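Review bot: the `**Extra options:` paragraph and the sentence "The same could be done for the Group **users**" both end before the actual option text, so the reader never sees the line that bypasses the Samba **Read only** switch, which is the most security-relevant setting in this section; spell it out in the Extra options field, for example `write list = @users` for the whole group (in Samba a name prefixed with `@` is a group), and state plainly that anyone on a write list can write regardless of the Read only switch, so the list should contain only the intended accounts. Two smaller points: the user list under Practical Permissions Examples pairs each name with an unexplained second token (`Fred – IworkOT`, `Mary – 2kids2feed`, and so on); if these are example passwords, label them as placeholders, and if not, drop them. The `**Note:` paragraph under A Restricted Share also ends mid-sentence at "creating a new group created under; **Access Rights Management**,", so the group-based alternative to ACLs that the section itself recommends ("ACL's should be avoided") is never completed.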